
High-Speed String Matching Hardware for Enhanced Network Intrusion Detection

This paper discusses advancements in high-speed string matching hardware aimed at improving Network Intrusion Detection Systems (NIDS). It introduces techniques for high-throughput finite state machine (FSM) design, such as multi-threading and high-speed interface circuit design, to optimize performance. The paper emphasizes minimizing FSM interconnect delays to achieve throughput exceeding 4 Gbps. Experimental results validate the effectiveness of the proposed methods, showcasing the potential for deploying robust and efficient NIDS capable of swiftly classifying and verifying network packets in real time.

ila-richard


Presentation Transcript


  1. Implementing High-speed String Matching Hardware for Network Intrusion Detection Systems • Authors: Atul Mahajan, Benfano Soewito, Sai K. Parsi, Ning Weng and Haibo Wang • Publisher: Proceedings of the 16th international ACM/SIGDA symposium on Field programmable gate arrays, FPGA 2008 • Presenter: Chin-Chung Pan • Date: 2009/11/11

  2. Outline • Introduction • Techniques for high-throughput verifier Design • Multi-threading FSM • High-speed interface circuit design • Minimizing FSM interconnect delay • Experimental Results

  3. Introduction • The classifier arranges incoming packets into three categories: malicious, suspected or benign. • Only suspected packets are fed to FSMs (verifiers) for further verification. In addition, classifiers confine the patterns that need to be checked for each suspected packet.

  4. Outline • Introduction • Techniques for high-throughput verifier Design • Multi-threading FSM • High-speed interface circuit design • Minimizing FSM interconnect delay • Experimental Results

  5. Multi-threading FSM • We use P[i] to represent the ith byte of the packet to be examined by the FSM. S[i] denotes the state that the FSM reaches after reading the ith byte of the packet.

  6. Multi-threading FSM • During the odd clock cycles, data from Packet P1 are fed to the FSM. In an even clock cycle, the FSM takes input from Packet P2.

  7. High-speed interface circuit design • [Figure: interface circuit diagram; labels show bytes P1[1] to P1[4] of packet P1 and P2[1] to P2[4] of packet P2.]

  8. Minimizing FSM interconnect delay • The input packet path not only has a large fan-out but also travels a long distance.

  9. Minimizing FSM interconnect delay • [Figure: FSM interconnect diagram; labels show blocks AB, CD, EF, GH, IJ, KL and input bytes P1[1], P1[2], P2[1], P2[2].]

  10. Outline • Introduction • Techniques for high-throughput verifier Design • Multi-threading FSM • High-speed interface circuit design • Minimizing FSM interconnect delay • Experimental Results

  11. Experimental Results • FSM clock frequency versus number of threads. Its maximum throughput is above 4 Gbits/s.

  12. Experimental Results • Interconnect delay with different FSM sizes.

  13. Experimental Results • DFF utilization in multi-threading FSMs.

  14. Experimental Results • The design approaches used in the study are: (a) a single FSM with the size of 200, (b) two FSMs of the size 100, and (c) four FSMs of the size 50.

  15. Experimental Results • After four pipeline stages are added to some input path branches, the delay of partitioned interconnect segments can be quickly reduced to less than 2 ns. The FSMs operate at a clock frequency of 500 MHz.
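The multi-threading scheme of slides 5 and 6, as an added software model that is not code from the paper or the presentation: one shared transition function serves packet P1 on odd clock cycles and packet P2 on even ones, and the verdict for each packet is the same as if it had been scanned alone. Assumptions: the FSM is built as an Aho-Corasick automaton, each thread keeps its own state register, and the patterns and packets are constructed samples.

```python
from collections import deque

def step(fsm, state, byte):
    """S[i] from S[i-1] and P[i]: follow fail links until an edge for `byte` exists."""
    goto, fail, _ = fsm
    while state and byte not in goto[state]:
        state = fail[state]
    return goto[state].get(byte, 0)

def build_fsm(patterns):
    """Aho-Corasick automaton (assumed FSM type): trie edges, fail links, outputs."""
    goto, fail, out = [{}], [0], [set()]
    for pat in patterns:
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(pat)
    queue = deque(goto[0].values())
    while queue:                       # breadth-first: fail targets are complete first
        s = queue.popleft()
        for b, t in goto[s].items():
            queue.append(t)
            fail[t] = step((goto, fail, out), fail[s], b)
            out[t] |= out[fail[t]]
    return goto, fail, out

def scan_interleaved(fsm, packets):
    """Shared FSM, one state register per thread; cycle c serves thread (c-1) mod N."""
    n = len(packets)
    state, pos = [0] * n, [0] * n      # per-thread S and index of the next byte
    hits, trace, cycle = [set() for _ in packets], [], 0
    while any(pos[t] < len(packets[t]) for t in range(n)):
        cycle += 1
        t = (cycle - 1) % n            # odd cycles -> P1, even cycles -> P2 when N = 2
        if pos[t] == len(packets[t]):
            continue                   # this thread's packet is done: idle slot
        state[t] = step(fsm, state[t], packets[t][pos[t]])
        pos[t] += 1
        hits[t] |= fsm[2][state[t]]
        trace.append((cycle, t + 1, pos[t]))   # (cycle, packet number, byte index i)
    return hits, trace

# Constructed sample patterns and packets, for illustration only.
FSM = build_fsm([b"attack", b"tack", b"root"])
P1, P2 = b"GET /attack HTTP/1.0", b"user=root"
HITS, TRACE = scan_interleaved(FSM, [P1, P2])
```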
